WECP Talent Analytics Inc. and WECP Private Limited (collectively, “WECP”) implement the following technical and organizational measures to maintain the security of their services and the personal data they process in connection with the use of their services:
Anonymization
WECP anonymizes customer personal data upon request by replacing the personal data in all in-scope tables with random or dummy values so that data subjects are no longer identifiable.
End-to-End Encryption
Encryption in Transit:
Data in transit is encrypted using FIPS-compliant TLS/SSL protocols via HTTPS. WECP employs 2048-bit asymmetric keys for the SSL/TLS handshake and negotiates AES-256 or AES-128 session keys, depending on what the client browser supports. WECP uses SHA-256 within the negotiated cipher suite to ensure the integrity of encrypted data.
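As an added illustration of the transport policy stated above (not WECP's configuration), the following Python snippet builds a server-side TLS context that refuses anything below TLS 1.2, offers only ephemeral ECDHE key exchange with AES-GCM suites (SHA-256/SHA-384 AEAD integrity), and then audits the resulting context so a reviewer can confirm that no legacy suite is offered. Certificate and key paths are deliberately not loaded so the code runs offline; the deny-list markers are an assumption chosen for this example.

```python
import ssl

# Substrings that identify cipher suites a FIPS-aligned TLS deployment should not offer.
# Constructed deny-list for this example, not taken from any vendor configuration.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def build_server_context() -> ssl.SSLContext:
    """Server-side TLS context: TLS 1.2 minimum, ECDHE key exchange, AES-GCM only.

    Hypothetical configuration matching the stated policy (TLS with 2048-bit
    RSA handshake keys, AES-128/256 session keys, SHA-256 integrity).
    ctx.load_cert_chain("/path/to/cert.pem", "/path/to/key.pem") would be
    called here in a real server; it is omitted so the example runs offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for TLS 1.2: ephemeral ECDHE with AES-GCM AEAD suites only.
    # TLS 1.3 suites are chosen by OpenSSL itself and are all AEAD (AES-GCM or ChaCha20-Poly1305).
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression is a known plaintext-recovery risk
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the context so the configuration can be checked against policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "legacy_versions_disabled": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_suites_offered": [n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS)],
        "aes_gcm_offered": any("AES" in n and "GCM" in n for n in names),
        # TLS 1.3 suite names start with "TLS_"; every TLS 1.2 suite left must be ECDHE.
        "all_ecdhe_or_tls13": all(n.startswith("TLS_") or "ECDHE" in n for n in names),
    }


if __name__ == "__main__":
    for key, value in audit_context(build_server_context()).items():
        print(f"{key}: {value}")
```

The audit function is the part worth keeping in a deployment pipeline: a context that looks correct in source can still offer a weak suite if the underlying OpenSSL build or a later edit widens the cipher string, and checking the negotiable list at start-up catches that drift.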
Encryption at Rest:
Data at rest is encrypted using 256-bit AES encryption. WECP utilizes Amazon Relational Database Service (RDS) for encryption of data at rest. Amazon RDS-encrypted instances use the industry-standard AES-256 encryption algorithm. Once encrypted, Amazon RDS handles authentication of access and decryption of data transparently. Encryption keys are stored in the separate AWS Key Management Service (KMS). Only specified users can access the KMS, and encryption keys do not persist anywhere in the storage layer.
Ongoing Confidentiality, Integrity, Availability, and Resiliency
Cloud Platform:
The WECP platform is built on a secure cloud services platform, incorporating a multi-tiered architecture that offers enhanced security and mitigates single points of failure. Each tier has its own Access Control List and rule set to restrict access and enable secure communication. Data is logically segregated, and all access is controlled through certificate-based authentication.
Anti-Virus:
WECP implements industry-standard anti-virus/malware software operating in real-time on all servers, laptops, and desktops.
Defense:
WECP implements defensive and proactive security procedures, including perimeter defense, network security monitoring, and intrusion detection systems. Industry-standard firewalls protect our application environment and associated data from the Internet and untrusted networks. Server, firewall, and other security-related configurations are kept up to date in line with industry standards. Firewall events are monitored to detect potential security events.
Access:
WECP limits access to personal data on a “least privilege” basis, granting access to the minimum number of personnel necessary to maintain our systems and provide services to customers.
Confidentiality:
WECP employees sign a comprehensive confidentiality agreement upon accepting an employment offer. Any contractor who accesses WECP facilities or customer data must also sign a confidentiality agreement protective of customer data. WECP employees undergo security and privacy training as part of their onboarding process and annually thereafter, which includes information security policies, security best practices, and privacy protections.
InfoSec Team:
Our Information Security team approves all WECP applications accessible from the Internet prior to launch or implementation. Inbound and outbound connections are denied unless expressly allowed.
Regular Testing, Assessing, and Evaluating Effectiveness
Security Testing:
At least once per year, WECP engages an independent third-party security expert to conduct internal and external network, system, and application vulnerability assessments. This includes automated and manual application security testing, SSL server tests, penetration testing, and continuous risk monitoring of all WECP properties and third-party applications.
Software Scanning:
WECP uses commercially available virus-checking software to scan its software for, and remove, any malicious components (e.g., computer virus, worm, time bomb) that could, in any material way, damage customer software, firmware, or hardware. WECP uses commercially reasonable efforts to reduce or eliminate the effects of any virus or harmful item and to mitigate and restore any loss of data or operational efficiency.
Ensuring Ability to Restore Availability and Access to Personal Data
Business Continuity:
WECP maintains a formal Business Continuity Plan to be implemented in the event of a disaster or other potential disruption of business operations.
Backups:
WECP performs regular backups of its systems and customer data, providing data recovery and archiving in accordance with WECP’s policies and procedures, which may include leveraging multiple Availability Zones. In the event of a failover condition from WECP’s primary data location, WECP can engage a secondary location to continue providing services.
User Identification and Authorization
Employee Access:
Employees with access to production environments are required to use SSH key-based authentication (private keys) for secure login. Remote access to systems by employees is via a VPN with two-factor authentication. Passwords are changed regularly. Employees are prohibited from sharing their username or password with others. WECP promptly revokes access to customer data and WECP systems upon employee termination or resignation. WECP regularly monitors company servers and devices to track access and detect indications of suspicious or unauthorized activity.
Platform Access:
WECP limits platform access to privileged users through email and password authentication or single sign-on (SSO). SSO is facilitated via WECP partners or a customer’s preferred SAML 2.0-compliant solution. Logical or network access to infrastructure storing customer data is restricted and allowed only on a need-to-know basis. Access requests are documented and approved based on necessity, and access rights are reviewed periodically.
Physical Security
Serverless Environment:
WECP operates a primarily serverless environment, entirely hosted in the cloud and operating under the cloud provider’s shared responsibility security model. Equipment hosting customer data is located in physically secured data centers maintained by Amazon or Google.
Remote Workforce:
WECP maintains a fully remote workforce without a physical office. Physical access to infrastructure housing customer data is restricted and allowed only on a need-to-know basis and solely from company-owned equipment.
Event Logging and Monitoring
WECP maintains a security logging and monitoring process that identifies potential security violations in near-real time. Logs are regularly reviewed (at intervals commensurate with risk) either manually or using log parsing tools. WECP uses automated alerts to detect security events, and these alerts are communicated to authorized personnel for appropriate handling. WECP assigns engineers to monitor, investigate, and remediate any events and alerts as necessary.
We log events affecting platform security, including but not limited to: login failures; use of privileged accounts; changes to access models or file permissions; changes to installed software or the operating system; changes to user permissions or privileges; and use of privileged system functions. APIs are utilized to retrieve audit logs of all actions taken by any user(s).
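The monitoring process described in this section (automated alerts on login failures and on use of privileged functions) can be illustrated with a small detector run over sample log lines. The code below is an added example, not WECP's tooling; the key=value log format, the event names, the threshold of five failures in ten minutes and the log lines themselves are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical key=value format (not a real log schema).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=app-1 event=login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:09Z host=app-1 event=login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:15Z host=app-1 event=login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:22Z host=app-1 event=login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:30Z host=app-1 event=login_failure user=alice ip=203.0.113.5
2024-05-01T10:01:02Z host=app-1 event=login_success user=alice ip=203.0.113.5
2024-05-01T10:05:00Z host=app-2 event=privileged_command user=root ip=10.0.0.12 cmd=visudo
2024-05-01T10:06:10Z host=app-2 event=permission_change user=bob path=/etc/shadow mode=0644
2024-05-01T11:00:00Z host=app-1 event=login_failure user=carol ip=198.51.100.7
"""

# Event types that always warrant an alert (privileged use, permission/software changes).
ALWAYS_ALERT = {"privileged_command", "permission_change", "package_install", "privilege_change"}
FAILURE_THRESHOLD = 5            # failures per (user, ip) ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str) -> list:
    """Return alerts in the order they fire while scanning the log once."""
    alerts = []
    failures = defaultdict(list)   # (user, ip) -> timestamps inside the window
    fired = set()                  # (user, ip) pairs already alerted on
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")
        key = (rec.get("user"), rec.get("ip"))
        if event in ALWAYS_ALERT:
            alerts.append({"rule": event, "user": rec.get("user"),
                           "host": rec.get("host"), "ts": rec["ts"].isoformat()})
        elif event == "login_failure":
            # keep only failures still inside the window, then count
            failures[key] = [t for t in failures[key] + [rec["ts"]]
                             if rec["ts"] - t <= FAILURE_WINDOW]
            if len(failures[key]) >= FAILURE_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append({"rule": "repeated_login_failure", "user": key[0], "ip": key[1],
                               "count": len(failures[key]), "ts": rec["ts"].isoformat()})
        elif event == "login_success" and key in fired:
            # a success right after a burst of failures is the case an analyst most wants to see
            alerts.append({"rule": "success_after_failures", "user": key[0], "ip": key[1],
                           "ts": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample, the fifth failure for alice from 203.0.113.5 fires the burst rule, the following success fires the follow-up rule, and the two privileged/permission events fire unconditionally; carol's single failure stays below threshold and is only logged.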
System Configuration
WECP has implemented an Agile Software Development Lifecycle, followed by a multi-stage review process that enables efficient deployment of new features and fixes with industry-standard best practices. Development, Quality Assurance, Staging, and Production environments are isolated to reduce the risk of unintended changes and maintain environment integrity and availability. Baseline systems with hardened security configurations and vulnerability fixes are utilized in the Production environment. System configuration is applied and maintained by software tools that ensure configurations remain consistent with default specifications.
IT Security Governance and Management
Device Encryption:
All employee devices are encrypted and managed through an MDM solution. Employees undergo routine security training and self-assessment. WECP assigns roles and responsibilities within and among departments to ensure proper segregation of duties.
Privacy Officers:
WECP appoints a Chief Information Security Officer (CISO) to ensure that data and platform security, availability, integrity, confidentiality, and privacy are continually maintained. WECP also appoints a Data Protection Officer (DPO) to ensure compliance with applicable data protection laws.
Certifications
WECP is ISO 27001-certified and maintains SOC 2 Type 2 Service Organization Controls. WECP conducts an annual SOC 2 Type 2 audit.
Data Minimization
Limited Processing:
Use of WECP services requires processing only the limited personal data necessary to provide the services to customers or as otherwise agreed upon with the customer.
Retention:
WECP retains personal data for the limited time specified in the applicable customer agreement. Periodic assessments are conducted to evaluate the necessity of storing each instance of personal data.
Data Quality
Customer Control:
WECP services allow customers to perform data creation, reading, updating, and deletion operations within the services. Customers maintain control over their data within the WECP services and may export their data directly. Customers can also retrieve or delete/erase data from the services by submitting a request within the services.
Segregation:
Each customer’s data is logically segregated from that of other customers, using a unique ID associated with each customer that persists throughout the data lifecycle and is enforced at each layer of the platform.
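The segregation model above (a per-customer identifier carried through the data lifecycle and checked at every layer) is illustrated below with an in-memory SQLite store. This is an added example and not WECP's implementation: the table, the `Session` object and the handler are assumptions. The point it makes is that the tenant identifier comes from the authenticated session, every query carries it as a predicate, and the service layer re-checks the returned row, so a client-supplied tenant value or a guessed numeric id cannot reach another customer's record.

```python
import sqlite3
from dataclasses import dataclass


class TenantIsolationError(PermissionError):
    """Raised when a request would touch a row that belongs to another tenant."""


@dataclass(frozen=True)
class Session:
    """Authenticated caller; tenant_id is set at login and never taken from request input."""
    tenant_id: str
    user: str


class CandidateStore:
    """Data-access layer: every statement is keyed on the caller's tenant_id."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE candidate (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
        )
        self.db.execute("CREATE INDEX ix_candidate_tenant ON candidate(tenant_id)")

    def create(self, session: Session, name: str) -> int:
        cur = self.db.execute(
            "INSERT INTO candidate (tenant_id, name) VALUES (?, ?)", (session.tenant_id, name)
        )
        return cur.lastrowid

    def get(self, session: Session, candidate_id: int) -> dict:
        row = self.db.execute(
            "SELECT id, tenant_id, name FROM candidate WHERE id = ? AND tenant_id = ?",
            (candidate_id, session.tenant_id),
        ).fetchone()
        if row is None:
            # Same error whether the row does not exist or belongs to someone else:
            # the caller learns nothing about other tenants' id space.
            raise TenantIsolationError(f"candidate {candidate_id} not visible to {session.tenant_id}")
        if row[1] != session.tenant_id:
            # Second, independent check: defence in depth if a query ever loses its predicate.
            raise TenantIsolationError("tenant mismatch on returned row")
        return {"id": row[0], "tenant_id": row[1], "name": row[2]}

    def delete(self, session: Session, candidate_id: int) -> bool:
        cur = self.db.execute(
            "DELETE FROM candidate WHERE id = ? AND tenant_id = ?", (candidate_id, session.tenant_id)
        )
        return cur.rowcount == 1


def api_get_candidate(store: CandidateStore, session: Session, params: dict) -> dict:
    """HTTP-layer handler (hypothetical): tenant comes from the session, never from params."""
    # params may carry a client-supplied tenant_id; it is ignored by design.
    return store.get(session, int(params["id"]))


if __name__ == "__main__":
    store = CandidateStore()
    alice = Session("tenant-a", "alice")
    bob = Session("tenant-b", "bob")
    cid = store.create(alice, "Jane Doe")
    print(store.get(alice, cid))
    try:
        api_get_candidate(store, bob, {"id": cid, "tenant_id": "tenant-a"})
    except TenantIsolationError as exc:
        print("denied:", exc)
```

Because ids are allocated from one sequence across tenants, tenant B can trivially guess tenant A's id; the example shows that guessing buys nothing as long as the tenant predicate is present on every statement and the handler never trusts a tenant value from the request.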
Limited Data Retention, Portability, Erasure
Retention and Backup:
Personal data is retained according to the terms agreed upon by WECP and the customer or as otherwise required by law. Customer data is routinely and frequently backed up and made available to the respective customer on demand.
Accountability
Audit Logging:
WECP maintains an audit log within its services that records all CRUD (Create, Read, Update, Delete) operations on the customer account, including details such as name, email, timestamp, IP address, and actions performed, all of which are immutable. Logging and monitoring are enabled within the WECP infrastructure to facilitate event/incident investigation.